In February, more than 5.3 million of these routers were used by criminals outside a home computer network to generate attack traffic - that is large volumes of requests to force target websites offline.

While routers are leveraged, their owners suffer from a degraded internet experience and potentially larger internet bills, said Bruce Van Nice, a director at Nominum.

The issue allows the hacker to craft a small "DNS" request that the router shouldn't answer but does.

Advertisement

"So someone at that home has absolutely no way of knowing that this is going on directly,'' Mr Van Nice said.

"They may see that their internet service starts to slow down either because their access connection is congested with traffic or because their home gateway is busy proxying these queries and forwarding huge answers back to a target. But they have no idea that their home router is potentially being bombarded with [these] queries.''

Nominum was working with internet providers to fix the routers affected, he said. The company had not yet been able to determine which specific routers had the configuration error. If this was able to be determined, Nominum could get the manufacturers to alert router owners to fix the issue with a security patch.

"Unfortunately, with the data we have, there is no way for us to tell what kind of router it is [that is affected]," Mr Van Nice said.

"I think consumers are, unfortunately, not in a good position to do very much at all. We actually think that the solution lies with [internet] providers better protecting their DNS."

DNS is the domain name system. When a computer on a home network requests to visit google.com, it asks the router for the website's IP (internet protocol) address. This query is then usually forwarded on to a domain name server at the internet provider, which responds with it. In Google's case, this internet address looks something like 74.125.237.201.

In the case of the vulnerability identified by Nominum, hackers are crafting junk DNS queries that should normally return small answers that are only a few bytes. Instead, the answers to the queries are so large they are able to be used with other answers to take down websites. This is what is known as a distributed-denial-of-service (DDoS) domain name system amplification attack.

Typically, such amplification attacks have not leveraged home routers and have instead used publicly accessible domain name servers - the telephone books of the internet.

Mr Van Nice said criminals making use of the amplification attacks included gamers attacking one another, the owners of small websites who attacked each other, and the owners of websites with adult content, who used the attacks to entice customers to switch from one service to another.

He said it didn't require much skill for someone to make use of the vulnerability.

A spokesman for iiNet Group, which owns a number of Australian internet providers, including iiNet, Westnet, Internode and others, said it had noticed an increase in the incidence of DNS-based denial-of-service amplification attacks in February.

This had resulted in some complaints of poor response times from its domain name servers during severe attacks, causing websites to load slowly.

"Complaints have fallen sharply after making changes to our [domain name system] resolvers to blacklist targets and limit queries," the spokesman said.

Australian security expert Troy Hunt suspected the routers affected were ones internet providers distributed to their customers but didn't properly test to make sure they were immune to amplification attacks.

An iiNet spokesman said iiNet-branded routers did not permit DNS queries outside a customer's home network. But iiNet did find that some of its customers were running incorrectly configured routers which were used in attacks.

"We've been proactively contacting customers that were generating large volumes of DNS traffic to resolve these issues," the spokesman said.

A spokesman for Telstra said attempted attacks were "a real threat" and it had "capabilities in place to detect, protect and minimise" their effects.

"As a matter of policy, Telstra will not discuss these capabilities or operational details publicly," the spokesman said.